Remove env files from git control
Closed this issue · 3 comments
Commit 09fe4ac added the env file under git control. Since this is customizable for each user, it should not be overridden by github. We should have an example file that each user can customize for their own application.
I know we have env.local that overrides this file, but we should not have anything specified by default (privacy issue)
.env
are the defaults. if you need to override some settings, just create a .env.local
with they keys you want to change. Why?
.env
provides recommended defaults and allows the app to run out of the box (if the technical requirements are met, of course)- whenever new environment/setting keys are added, it won't break your app; you don't need to hunt down the changelog/commit history to see why your app breaks after new commits
This was adopted by Facebook's create-react-app
/react-scripts
: https://github.com/facebookincubator/create-react-app/blob/master/packages/react-scripts/template/README.md#what-other-env-files-are-can-be-used
@jozsi I know, I mentioned it above. Yet, it's still not a good idea because it contains sensitive information and by default that should not be exposed since it's a security risk - in the future we might have additional variables in there - I am sure that a lot of people will not bother to change those, which could potentially give an intruder access with the default values.
I'd rather have a setup script that creates the env file on the first run.
I've spent more research on this. dotenv is strongly against having multiple environment files. So we'll stick to .env
only (not committed) and provide a .env.example
file. We use dotenv-safe to validate that all fields exist in .env
, otherwise the process exists with the list of missing fields.
Done via 80a7508 & other commits